A VPN connection is known (for example, refer to Non-Patent Documents 1 and 2) in which an open external network such as the Internet is utilized as a private dedicated network. That is, a firewall and a dedicated router or bridge (a VPN gateway (VPN-GW), which links a connection from outside the company to an intra-company connection) are disposed between an internal network (such as an intranet) and an open external network (such as the Internet). The firewall manages data, protects the internal network from attack or illegal access from the outside, and links the Internet and the intranet. Moreover, personal computers (take-out PCs), such as notebook computers, that are compatible with the internal network can access the internal network from an external network.
FIG. 37 is a diagram illustrating a network configuration in the prior art. This network configuration includes a firewall/VPN gateway (Firewall & VPN-GW) 30, which has an authentication device (an authentication module) and is disposed between the intranet 2 in “A” company (or “A” company's intranet) and the Internet 1, and a business server 23 on the “A” company intranet. A staff member of the “A” company can access the intranet 2 via the Internet, using a PC (personal computer) 102 that has been taken out of the company and on which dedicated VPN software is installed.
An application (a business client application) for linking to the in-house business server 23 and processing predetermined business is installed on the (take-out) PC 102. An application (a business server application), corresponding to the business client application in the PC 102, is installed on the in-house business server 23. (Both applications may be called a business application.) The firewall & VPN-GW 30 is installed with an application (a relay application) having the function of linking the authentication module, the PC and the business server.
The procedure of the VPN connection in the prior art is as follows:
For the PC 102 taken out by a staff member of the “A” company, a high-level administrator provides the staff member with a predetermined ID and a password to access the “A” company's intranet. At the same time, a default setting process (a), such as authentication setting regarding the ID or password, is performed in advance on the firewall & VPN-GW 30 to authorize access from the PC 102.
The staff member uses the PC 102 to access the intranet 2 from home or from elsewhere outside the “A” company's intranet, using the ID and password. The PC 102 thus establishes a VPN connection to the firewall & VPN-GW 30, for example a VPN connection (SSL connection) (b) in which encryption between a WWW browser and a WWW server, and an authentication function, are provided by the SSL (Secure Sockets Layer) protocol.
When the authentication module performs the authentication process (c) on the access and determines that the password is correct, the firewall & VPN-GW 30 permits connection to the “A” company's intranet 2 and performs the address/frame conversion of packets passing through the VPN connection. Thus, the business application of the PC 102 can communicate bi-directionally with the business application of the business server 23.
FIG. 38 is a diagram illustrating another network configuration in the prior art. The network configuration includes a firewall 30 disposed between an “A” company's intranet 2 and the Internet 1, a VPN gateway (VPN-GW) 210 connected to the firewall 30, and a business server 23 connected to the VPN-GW 210. Moreover, the Internet side includes a PC 102 including a VPN-GW, and a relay server (virtual hub, SIP server and the like) 101 disposed for VPN connection to the intranet 2.
The take-out PC 102 is installed with a business client application for connecting to the office business server 23 and processing predetermined business, a relay application for relaying the VPN connection to the business client application, and an application (setting application) for setting up the VPN connection with the VPN-GW 210. The office business server 23 is installed with an application (business server application) corresponding to the business client application of the PC 102. The VPN-GW 210 is installed with a setting application for setting up the VPN connection to the PC 102 and a relay application for relaying the VPN connection to the business server application of the business server 23. The virtual hub 101 is installed with an authentication module and a relay application.
The procedure of the VPN connection in the prior art is as follows:
The VPN connection (a) between the VPN-GW 210 and the relay server 101 is established in advance. When the PC 102 accesses the relay server 101 for VPN connection, using the setting application and the relay application, the relay server 101 performs authentication (c) on the access. If the authentication is correct, the VPN connection from the VPN-GW 210 and the VPN connection (b) from the PC 102 are linked. Thus, the VPN connection between the PC 102 and the VPN-GW 210 is established. Using the two VPN connections, the relay application enables communications between the business application in the PC 102 and the business application in the business server 23.
FIG. 39 is a diagram illustrating yet another network configuration in the prior art. The network configuration is similar to that in FIG. 38. The network configuration includes a firewall 30 disposed between the “A” company's intranet 2 and the Internet 1, and a VPN gateway (VPN-GW) 220 and a business server 23, compatible with UPnP, which are connected to the firewall 30 on the intranet. Moreover, the network configuration includes a relay server 103, such as a directory server, for VPN connection between the PC 102, which includes a VPN-GW on the Internet side, and the VPN-GW 220 of the “A” company's intranet 2.
The office business server 23 is installed with a business server application. The VPN-GW 220 is installed with a setting application for setting up the VPN connection, a UPnP application for receiving a universal plug and play (UPnP) advertisement directed to hardware connected to the firewall, capturing the necessary setting information and performing the perforating setting on the firewall 30, and a relay application for relaying the VPN connection to the business server application of the business server 23. The directory server 103 is installed with an authentication module. The PC 102 taken out of the company is installed with a setting application for setting up the VPN connection, a business client application corresponding to the business server 23, and a relay application for establishing the connection between the business applications through the VPN connection.
The procedure of VPN connection in the prior art is as follows:
The firewall 30 is set in advance to perform a UPnP advertisement, in which address information on the firewall itself and information on the access operational procedure are transmitted, through an IP broadcast, to a UPnP-compatible device such as the VPN-GW 220 connected to the intranet.
When connected to the “A” company's intranet, the VPN-GW 220 receives (a) a UPnP advertisement from the firewall 30 and, based on the received information, captures the setting address of the firewall 30 itself, which is used to set the firewall 30. Moreover, the VPN-GW 220 establishes the connection (b) between the VPN-GW 220 and the relay server 103 in advance.
When the connection (c) is set up between the PC 102 and the relay server 103, using the VPN software, the relay server 103 authenticates the PC 102. When the authentication is correct, the relay server 103 links the connection from the VPN-GW 220 to the connection from the PC 102 (d).
Next, when the PC 102 requests a VPN connection (a VPN connection request) (e) through the series of connections linked to the VPN-GW 220 via the relay server 103, the VPN-GW 220 performs the perforating setting (f) on the firewall 30 using the setting address obtained from the UPnP advertisement. When the setting is completed, the VPN-GW 220 notifies the PC 102 of the completion of the perforating setting via the relayed connections. When the PC 102 receives the notification of completion of the perforating setting (f), it establishes a new VPN connection (g) to the VPN-GW 220, which can pass through the firewall 30 from the outside as a result of the perforating setting. Thus, the communication between the business applications can be established via the VPN connection (g).

[Non-Patent Document 1] “SSL-VPN appliance multi-application portable SAFEBORDER AP 100”, retrieved on Jun. 8, 2004, Internet <URL:http://ccsd.biglobe.ne.jp/security/lineup/SAFEBORDER/#top>

[Non-Patent Document 2] “SoftEther.com-SoftEther Web page, safe, simple, high-performance VPN SoftEther Virtual Ethernet System”, retrieved on Jun. 8, 2004, Internet <URL:http://www.softether.com/jp/>
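The FIG. 39 sequence (a) to (g) described above, which also contains the FIG. 38 relay linking, is modelled below as an added in-memory example that is not part of the original document. The class names, the account, the setting address, the port number and the firewall's check of the setting address are all assumptions made for illustration.

```python
# Added illustration of FIG. 39 steps (a)-(g); all names and values are constructed.
import hmac

class Firewall:  # blocks inbound connections unless a perforation has been set
    def __init__(self, setting_address):
        self.setting_address, self.open_ports = setting_address, set()
    def upnp_advertisement(self):                    # (a) advertised on the intranet
        return {"setting_address": self.setting_address}
    def perforate(self, setting_address, port):      # (f) perforating setting
        if setting_address != self.setting_address:  # modelling assumption
            raise PermissionError("wrong setting address")
        self.open_ports.add(port)
    def allows_inbound(self, port):
        return port in self.open_ports

class VpnGateway:
    def __init__(self, firewall):
        self.firewall = firewall
        self.setting_address = firewall.upnp_advertisement()["setting_address"]
    def handle_vpn_request(self, port):              # (e) arrives, (f) is performed
        self.firewall.perforate(self.setting_address, port)
        return "perforation complete"

class RelayServer:
    """Authenticates the PC, then links it to the gateway's standing connection."""
    def __init__(self, accounts):
        self.accounts, self.gateway, self.linked = accounts, None, {}
    def register_gateway(self, gateway):             # (b) gateway connects outbound
        self.gateway = gateway
    def connect_pc(self, pc_id, password):           # (c) authenticate, (d) link
        expected = self.accounts.get(pc_id, "")
        if not (expected and hmac.compare_digest(expected, password)):
            return False
        self.linked[pc_id] = self.gateway
        return True
    def forward_vpn_request(self, pc_id, port):      # (e) only over a linked connection
        if pc_id not in self.linked:
            raise PermissionError("PC is not linked to a gateway")
        return self.linked[pc_id].handle_vpn_request(port)

def run_sequence(password, port=4500):
    fw = Firewall("10.0.0.1")
    relay = RelayServer({"pc102": "constructed-password"})
    relay.register_gateway(VpnGateway(fw))
    open_before = fw.allows_inbound(port)
    linked = relay.connect_pc("pc102", password)
    if linked:
        relay.forward_vpn_request("pc102", port)
    return open_before, linked, fw.allows_inbound(port)  # (g) direct VPN passes?
```

In this model the firewall opening depends entirely on the relay server's authentication decision, so the relay server's accounts and the gateway's standing connection are the points to monitor and protect.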